Secret Scanner - Security Audit MCP Server

Sample Code with Secrets

                # config.py - Application configuration
                
                import os
                
                # Database configuration
                DATABASE_URL = "postgresql://admin:password123@db.example.com/prod"
                
                # AWS Credentials
                AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
                AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
                
                # API Keys
                STRIPE_API_KEY = "sk_test_FAKE_EXAMPLE_KEY_1234567890"
                GITHUB_TOKEN = "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
                
                # JWT Secret
                JWT_SECRET = "super_secret_jwt_signing_key_12345"
            

Secrets Found

Files Affected

0.8s

Scan Duration

Findings

AWS Access Key ID High

config.py:9

Hardcoded AWS access key detected. This could allow unauthorized access to AWS resources. Recommendation: Use environment variables or AWS IAM roles.

AWS Secret Access Key High

config.py:10

Hardcoded AWS secret key detected. Combined with access key, provides full account access. Recommendation: Rotate credentials immediately and use AWS Secrets Manager.

Stripe API Key High

config.py:13

Live Stripe API key detected. This could allow unauthorized payment processing. Recommendation: Use restricted keys and environment variables.

GitHub Personal Access Token High

config.py:14

GitHub PAT detected. Could provide repository access or GitHub API access. Recommendation: Revoke token and use fine-grained tokens.

JWT Signing Secret High

config.py:17

Hardcoded JWT secret detected. Could allow token forgery attacks. Recommendation: Store in secure vault or environment variable.